Employee Data Privacy Policy

Objective

Provide Internet Security Systems, Inc. (ISS) and its entities with consistent guidelines for collecting, processing, storing, transferring, disclosing, deleting and using Employment and/or Employee data. The ISS entities covered in this Policy are Internet Security Systems, Inc., a Georgia corporation, and/or any of its affiliates.

Scope

This policy is effective 12/03/04 and applies to all ISS entities, employees, contractors and third party vendors that collect, process, record, store, transfer, disclose, delete and/or use ISS Employment/Employee Data on ISS' behalf.

Employment/Employee Data includes any information about an identified or identifiable person that is obtained in the context of a person's working relationship with an ISS entity or third party vendor. Persons protected include job applicants, employees (including temporary, permanent and part-time), interns, contingent workers, retirees, and former employees, as well as any dependents or others whose personal data has been given to an ISS entity by such persons.

This Policy does not cover data rendered anonymous, meaning data from which individual persons are no longer identifiable, or are identifiable only with a disproportionately large expense of time, cost, or labor, nor does it cover situations in which pseudonyms are used. The use of pseudonyms involves the replacement of names or other identifiers with substitutes, so that identification of individual persons is either impossible or at least rendered considerably more difficult. If data rendered anonymous becomes no longer anonymous (i.e., individual persons are again identifiable), or if pseudonyms are used and the pseudonyms allow identification of individual persons, then this Policy will apply.

Policy Detail

Application of Local Law

This policy provides a standard for every ISS entity with respect to its protection of Employment/Employee Data globally. Certain local laws may require stricter standards. Therefore, we will handle this data in accordance with applicable laws and regulations at the place where the data is processed. Where applicable local law provides a lower level of protection of Employment/Employee Data than established by this Policy, then the requirements of this Policy apply. Questions about compliance with local law may be addressed to your local legal counsel.

"Sensitive Personal Information" is personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of an individual. If ISS collects Sensitive Personal Information from you, we will provide you with an affirmative or explicit (opt-in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by you. ISS will treat any information you provide and identify as sensitive as Sensitive Personal Information.

Employment/Employee Data Collection & Use Guidelines

ISS respects the privacy rights of each individual; therefore, all ISS entities, contractors and third party vendors will observe the following guidelines when processing, transferring, analyzing and/or using personal Employment/Employee Data:

  • Data will be collected, stored, transferred, processed, analyzed and used in accordance with ISS' established guidelines and in compliance with local laws/regulations in the territory where those activities occur.
  • Data will be collected for specified, legitimate purposes and not processed in ways incompatible with those purposes.
  • Data will be relevant to and not excessive for the purposes for which it is collected and used.
  • Data will be current and accurate with reasonable steps taken to rectify or delete inaccurate Employment/Employee Data.
  • Data will be kept only as long as necessary for the purposes for which it was collected and processed.
  • Appropriate measures will be taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data.

Employment/Employee Data may be collected, stored, analyzed, shared and used for legitimate human resources, business, and safety/security purposes in accordance with this Policy and applicable law(s). The primary purposes for collection, storage and/or use of data include:

  • Human Resources Management: involves the collection, storage, analysis and sharing of data in order to attract, retain and motivate a highly qualified workforce. This includes, but is not limited to, recruiting, compensation planning, succession planning, reorganization needs, performance assessment, training, employee benefit administration, compliance with applicable legal requirements, and communication with employees and/or their representatives.
  • Business Processes and Management: involves processes used to run ISS' operations, including, but not limited to, scheduling work assignments, managing company assets, reporting and/or releasing public data (e.g., Annual Reports, etc.), and populating employee directories.
  • Safety and Security Management: involves activities that ensure the safety and protection of employees, assets, resources, and communities.

If an ISS entity introduces a new tool or process that will result in the processing of Employment/Employee Data for purposes that go beyond the above categories, then that entity must inform the employees of the new tool or process, the purposes for which the Employment/Employee Data will be used, and the categories of recipients of the data.

Sensitive Personal Data Categories

In limited circumstances where an ISS entity or third party needs to collect Sensitive Personal Data such as racial or ethnic origin, religious or philosophical beliefs, political opinions, health or medical records, sexual life, trade union membership, criminal records, and other legally specified categories, ISS will ensure that the individual is notified of the reason for obtaining this data and with whom it will be shared. Contingent upon applicable law(s), ISS will obtain explicit consent from the individual regarding the processing and transfer of such data to non-ISS entities. Appropriate protection measures (e.g., physical security devices, encryption, and access restrictions) will be provided depending on the nature of the data and the risks associated with the intended use.

Security and Confidentiality

ISS is committed to taking appropriate measures to protect Employment/Employee Data against unauthorized access or disclosure. These measures include:

  • Data Protection (Systems): To protect against unauthorized access to Employment and/or Employee Data by third parties and/or vendors, electronic data held by ISS entities are maintained on systems that are protected by secure network architectures that contain firewalls and intrusion detection devices. The servers holding this data are "backed up" (i.e., the data are recorded on separate media) on a regular basis to avoid the consequences of any inadvertent loss or destruction of data. The servers are housed in facilities with comprehensive security and fire detection and response systems.
  • Data Protection (Access): ISS entities limit access to internal systems that hold Employment/Employee Data to a select group of authorized users who are given access to such systems through the use of a unique identifier and password. Access to this data is limited to individuals for the purpose of performing their job duties (e.g., a compensation manager in human resources may need access to an employee's compensation data to make a salary recommendation, etc.). Decisions regarding access are made by assigned security administrators. Compliance with these provisions will be required of third-party administrators who may access certain Employment/Employee Data.
  • Training: ISS will conduct training for authorized users regarding the lawful and intended purposes of processing Employment/Employee Data, the need to protect and keep information accurate and up-to-date, and the need to maintain the confidentiality of the data to which employees have access. Authorized users will comply with this Policy, and ISS entities will take appropriate disciplinary actions, in accordance with applicable law, if Employment/Employee Data are accessed, processed, or used in any way that is inconsistent with the requirements of this Policy.

Employment/Employees' Rights and Responsibilities

An individual has the right to inquire as to the nature of the Employment/Employee Data stored or processed about him or her by any ISS entity or third party vendor. Employees will be provided access to their personal data as is required by law in their home countries, regardless of the location where data is stored or processed. An ISS entity processing such data will cooperate in providing such access either directly or through the employing entity. All such requests for access may be made to the employee's local human resources manager. If any Employment and/or Employee data is inaccurate or incomplete, the employee may request that the data be amended or if necessary, blocked or erased. Local laws that provide for employees to limit use of their personal data (e.g., right to object to marketing) will also be observed.

It is every individual's responsibility to provide the Human Resources Department with accurate data about him/herself and to inform Human Resources of any changes (e.g., new home address or change of name). If access or correction is denied, the reason for the denial will be communicated and a written record will be made of the request and reason for denial.

Transferring Data

ISS will use the following standards when transferring Employment/Employee Data.

Transfer to Other ISS Entities: ISS will ensure adequate protection for Employment/Employee Data processed or transferred between ISS entities. The following requirements must be met before a transfer will occur:

  • The transfer of the data is based on a clear business need;
  • The receiving entity provides appropriate physical and organizational security for the data; and
  • The receiving entity ensures compliance with this Policy for the transfer and any subsequent processing of the data.

Transfer to Non-ISS Entities: ISS entities may transfer Employment/Employee Data to selected external third parties that have been engaged to perform certain employment-related services. These third parties may only process the data in accordance with the ISS entity's instructions (data processors) or make decisions (e.g., to assess eligibility for supplemental life insurance, short-term disability benefit, etc.) regarding the data as part of the delivery of their services (data controllers). In either instance, ISS entities will select reliable suppliers who undertake, by contract or other legally binding and permissible means, to put in place appropriate technical and organizational security measures to ensure an adequate level of protection commensurate with their status as data processors or data controllers. ISS entities will require external third-party suppliers to comply with this Policy or to guarantee the same levels of protection as ISS when handling this data. Such selected third parties will have access to this data solely for the purposes of performing the services specified in the applicable service contract. If an ISS entity concludes that a supplier is not complying with these obligations, it will promptly take appropriate actions to remedy such non-compliance or implement necessary sanctions.

Occasionally, ISS entities may also be required to disclose certain Employment and/or Employee Data to other third parties as a matter of law (e.g., to tax and social security authorities, garnishments, etc.); to protect ISS' legal rights (e.g., to defend a litigation suit); or in an emergency where the health or security of an employee is endangered.

Direct Marketing

ISS entities will not disclose Employment/Employee Data to entities outside ISS or use non-work contact data (e.g., home address or telephone number) to offer any products or services to an employee for personal or familial consumption ("direct marketing") without his or her prior consent. Further, ISS will not use workplace contact data (e.g., work address or work e-mail address) to conduct direct marketing, unless (1) prior written approval has been obtained from the Vice President of Human Resources, in Atlanta, Georgia, U.S.A.; and (2) recipients are given an opportunity to opt-out of receiving further direct marketing communications (at any time).

The restrictions in this section apply only to contact data obtained in the context of a working relationship with ISS. They do not apply to contact data obtained separately in the context of a consumer or customer relationship to which other applicable legal provisions may apply. In addition, in the United States or elsewhere where permitted by law, ISS may communicate information to ISS employees about employee benefits or about ISS-supported charitable programs.

Automated Decisions

Some countries regulate the making of Automated Decisions, which are decisions about individuals that are based solely on the automated processing of data and that produce legal effects or that significantly affect the individuals involved. Except in very limited circumstances (e.g., the initial screening of some job seekers who express interest through online channels), ISS entities do not make Automated Decisions to evaluate employees or for other purposes. If Automated Decisions are made, affected persons' legal rights will be respected and affected individuals will be given an opportunity to express their views on the Automated Decision in question. If the person demonstrates that the purpose for which the data is being processed is no longer legal or appropriate, the data will be deleted, unless the law requires otherwise.

Enforcement Rights and Processes

All ISS entities will ensure that this Policy is observed. All employees, contractors and third party vendors who have access to Employment/Employee Data must comply with this Policy. In some countries, violations of data protection regulations may lead to penalties and/or claims for damages from the individuals who are adversely affected.

Failure to observe this Policy or deliberate breach of confidentiality or security in relation to Employment/Employee Data will result in disciplinary action against those individuals responsible. The course of action taken will follow the Company's Disciplinary Procedures as outlined in the Employee Handbook.

If at any time an individual believes that personal data relating to him or her has been processed in violation of this Policy, he or she may report the concern to the local Human Resources manager or to the Vice President of Human Resources in Atlanta. If the concern relates to an alleged violation of this Policy by an entity located in a country other than that of the individual or the ISS entity exporting the Employment/Employee Data in question, he or she may request the assistance of that ISS exporting entity. That ISS entity will assist him or her in investigating the circumstances of the alleged violation and, if necessary, take the matter up with the entity importing that data. If the violation is confirmed, the exporting and importing entities will work together with any other relevant parties (including co-operating with competent national data protection authorities) to resolve the matter in a satisfactory manner, consistent with the provisions of this Policy.

The processes described in this Policy supplement any other remedies and dispute resolution processes provided by ISS and/or available under applicable law, which will be respected by ISS.

Audit Procedures

To further ensure enforcement of this Policy, the Vice President of Human Resources may identify Employment/Employee Data procedures that should be audited for compliance with this Policy and applicable data protection law. For this purpose, ISS will engage an independent third party to conduct the audit and will take such corrective action as is necessary to address any issues or problems that the audit reveals.

Communicating the Policy

In addition to management training, ISS will communicate this Policy to current and new employees by posting it on the intranet.

Modifications to the Policy

ISS reserves the right to modify this Policy as needed to reflect changes in laws, ISS practices and procedures, or requirements imposed by data protection authorities. The Vice President of Human Resources (in Atlanta), the General Counsel or their designee must approve all changes before they become effective. If changes occur, ISS will submit the revised Policy for renewed approval where required by law.

In addition, ISS will inform employees and other persons (e.g., persons accessing ISS websites to enter Employment Data such as job application information) of any material changes in the Policy. ISS will post all changes to the Policy on relevant internal and external websites.

Effective with the implementation of this Policy, all existing intra-group agreements and applicable company privacy guidelines or practices relating to the processing of Employment and/or Employee Data will be superseded by the terms of this Policy and modified accordingly. All parties to any such agreements will be notified of the effective date of implementation of the Policy.

Data Protection Authorities

ISS employees who receive requests and/or inquiries from data protection authorities about this Policy or compliance with applicable data protection and privacy laws should contact the local ISS Human Resources manager or ISS' Vice President of Human Resources (in Atlanta) to ensure ISS responds to the request in a timely and appropriate manner. Upon request, ISS will provide data protection authorities with the appropriate names and contact details of the relevant contact persons. With regard to Employment/Employee Data transferred between ISS entities, the importing and exporting ISS entities will each (i) respect the rights of the relevant data subjects under applicable data protection law; (ii) co-operate with inquiries from the data protection authority responsible for the entity exporting the data; and (iii) respect its advice or decisions, consistent with applicable law and due process rights.

Internal Obligations

In addition to any rights and obligations stated in this Policy or that otherwise exist, the following principles established in light of Directive 95/46/EC ("European Data Protection Directive") will apply to Employment/Employee Data collected by ISS entities in the European Union/European Economic Area and processed elsewhere. In jurisdictions where this applies, the enforcement rights and mechanisms mentioned in this Policy also apply. The following are not intended to grant employees further rights or establish further obligations beyond those already provided under the European Data Protection Directive:

  • Individuals may object to the processing of Employment/Employee Data about them on compelling legitimate grounds relating to their particular situation. This might occur, for instance, if the person's private or family life is compromised or their life or health is at risk due to the processing of the data. This provision shall not apply if the processing is (i) required by law, (ii) based on the person's individual consent, or (iii) necessary to fulfill a contractual obligation between the person and ISS.
  • After exhausting appropriate internal dispute resolution processes, individuals may seek compensatory damages from an ISS entity for loss or damage to them caused by a violation of this Policy by the ISS entity. The entity shall not be liable for damages if it has observed the standard of care appropriate in the circumstances.
  • If any of the terms or definitions used in this Policy are ambiguous, the definitions established under applicable local law within the relevant EU/EEA member state shall apply in respect of the data processing activities carried out there; where there are no such definitions under applicable local law, the definitions of the European Data Protection Directive shall apply.